Open jmarrero opened 1 month ago
If I change the policy.json I see:
```
DEBU[0000] Overall: allowed
TRACE open_image:impl_request: completed request self=ImageProxy imgref="docker://registry.redhat.io/rhel9/rhel-bootc:9.4" self=ImageProxy method="OpenImage"
TRACE impl_request: sending request GetManifest self=ImageProxy method="GetManifest"
DEBU[0000] GET https://registry.redhat.io/v2/rhel9/rhel-bootc/manifests/sha256:68100781edd6317a9c9f419374568a641b8402b1901740cfd38cdd20db902caf
DEBU[0001] Content-Type from manifest GET is "application/vnd.oci.image.manifest.v1+json"
TRACE impl_request: completed request self=ImageProxy method="GetManifest"
DEBUG finish_pipe: closing pipe self=ImageProxy pipeid=8
TRACE finish_pipe:impl_request: sending request FinishPipe self=ImageProxy pipeid=8 self=ImageProxy method="FinishPipe"
TRACE finish_pipe:impl_request: completed request self=ImageProxy pipeid=8 self=ImageProxy method="FinishPipe"
TRACE impl_request: sending request GetFullConfig self=ImageProxy method="GetFullConfig"
```
Maybe we can change the validation to happen during or after getManifest since it looks like at that point we would have the SHA that has the signature. We fail right now on OpenImage.
Also, another way to avoid this is to sign the digest. To get the digest you must sign, you can run:

```
skopeo inspect docker://registry.redhat.io/rhel9/rhel-bootc:9.4 | jq .Digest
```
The error is seen by using rpm-ostree or bootc to do a deployment of a signed image:
By adding:
and
before: https://github.com/containers/containers-image-proxy-rs/blob/main/src/imageproxy.rs#L227
I was able to print
Printing the skopeo debug output which shows:
This does not pull any signatures.
However when we try skopeo copy we see:
Which correctly pulls the signatures; however, this code goes through this path: https://github.com/containers/image/blob/8c7c58c5aacd70fe8bc25da54f966a59baf175b0/copy/copy.go#L318
This path looks at the image-index and checks signatures only for the system image.
This path as I understand we avoid, and implement our own way of pulling using the skopeo/proxy https://github.com/containers/skopeo/blob/main/cmd/skopeo/proxy.go#L412
I am still not sure if the fix should be here or in skopeo/proxy, but my understanding right now is that we have to implement something similar to what containers/image/copy does.
Ultimately this blocks any deployment when a more strict `/etc/containers/policy.json` is defined, such as when using RHEL. Currently a workaround is to use the manifest list digest, such as `registry.redhat.io/rhel9/rhel-bootc@sha256:68100781edd6317a9c9f419374568a641b8402b1901740cfd38cdd20db902caf`, instead of the tag.
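As an added illustration of the digest-pinning workaround and the policy lookup it interacts with (example code written for this thread, not code from the issue, containers-image-proxy-rs, skopeo or containers/image): the script below turns a tagged reference into a digest-pinned one using the `Digest` field that `skopeo inspect` prints, and shows which `policy.json` requirement applies to a given reference. The `skopeo inspect` output and the `policy.json` are constructed samples embedded inline (the digest is the one quoted above); `split_ref`, `pin_to_digest` and `policy_requirements` are names chosen here, and the scope matching is a simplified version of what containers/image does (exact reference, then repository, then namespace prefixes, then registry host, then `default`).

```python
import json
import re

# Constructed sample of `skopeo inspect docker://registry.redhat.io/rhel9/rhel-bootc:9.4`,
# trimmed to the fields used here. The digest is the manifest list digest from the issue.
SAMPLE_INSPECT = json.dumps({
    "Name": "registry.redhat.io/rhel9/rhel-bootc",
    "Digest": "sha256:68100781edd6317a9c9f419374568a641b8402b1901740cfd38cdd20db902caf",
    "RepoTags": ["9.4"],
})

# Constructed sample of a strict /etc/containers/policy.json: reject by default,
# require a GPG signature for everything under registry.redhat.io.
SAMPLE_POLICY = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "registry.redhat.io": [{
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",  # placeholder path
            }],
            "docker.io/library": [{"type": "insecureAcceptAnything"}],
        }
    },
})

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def split_ref(ref):
    """Split 'registry/ns/name[:tag][@digest]' (optional docker:// prefix) into (repo, tag, digest)."""
    if ref.startswith("docker://"):
        ref = ref[len("docker://"):]
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:  # a ':' after the last '/' is a tag, not a registry port
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def pin_to_digest(ref, inspect_json):
    """Rewrite a tagged reference to 'repo@digest' using skopeo inspect output.

    A reference that is already digest-pinned is returned unchanged (minus the
    transport prefix); a malformed digest is rejected rather than propagated.
    """
    repo, _tag, existing = split_ref(ref)
    if existing:
        return f"{repo}@{existing}"
    digest = json.loads(inspect_json)["Digest"]
    if not DIGEST_RE.match(digest):
        raise ValueError(f"unexpected digest format: {digest!r}")
    return f"{repo}@{digest}"


def policy_requirements(policy_json, ref):
    """Return (scope, requirements) from policy.json for the docker transport.

    Simplified containers/image scope matching: most specific scope wins.
    """
    policy = json.loads(policy_json)
    repo, tag, digest = split_ref(ref)
    scopes = []
    if digest:
        scopes.append(f"{repo}@{digest}")
    if tag:
        scopes.append(f"{repo}:{tag}")
    parts = repo.split("/")
    for i in range(len(parts), 0, -1):  # repo, then each shorter namespace, then the host
        scopes.append("/".join(parts[:i]))
    docker_scopes = policy.get("transports", {}).get("docker", {})
    for scope in scopes:
        if scope in docker_scopes:
            return scope, docker_scopes[scope]
    return "default", policy["default"]


if __name__ == "__main__":
    tagged = "docker://registry.redhat.io/rhel9/rhel-bootc:9.4"
    pinned = pin_to_digest(tagged, SAMPLE_INSPECT)
    scope, reqs = policy_requirements(SAMPLE_POLICY, tagged)
    print(f"pinned reference: {pinned}")
    print(f"policy scope {scope!r} requires: {[r['type'] for r in reqs]}")
```

The pinned reference is what the workaround in the last paragraph passes to rpm-ostree or bootc in place of the tag; the policy lookup makes it easy to confirm, before a deployment, that the reference actually falls under the `signedBy` scope you expect rather than the `default` entry.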